Challenges and benefits of GDPR compliance

20 days before the new European General Data Protection Regulation (GDPR) enters into force, many companies still have questions about how to become compliant with its requirements. Luxembourg ICT Cluster members met for a workshop on 8 May to share their experiences of adapting to GDPR and even turning their compliance into a competitive advantage.

GDPR was designed to protect and empower all EU citizens regarding their data privacy and to reshape the way organisations across Europe approach this subject. It sets high standards for treating only necessary data with the consent of the individuals concerned as well as for IT security and data protection. “Being 100% technically compliant with GDPR is not possible,” said Cluster Manager Jean-Paul Hengen when he opened the event. “Implementing the state of the art is the right thing to do.”

Implementing common sense

GDPR is a complex regulatory framework. While many organisations struggle to know where to begin and how far they need to go in its implementation, there is no need to think that the hurdles are bigger than they actually are. “Some people have extreme interpretations of GDPR, but it is basically just common sense,” said Myriam Djerouni, RSSI at Luxith GIE and one of the four panellists at the event. She listed the key question each company needs to consider: What data do we have? Where is it stored? Who has access to it? The answers to these questions will point out what needs to be done to become GDPR compliant. She also highlighted the need to put in place procedures for how to act in case of a data breach, as companies have only 72 hours to notify the supervising authority once a breach has been discovered.

A benefit, not a burden

The panellists emphasised that all companies are concerned by GDPR and need to take its implementation seriously. “Every company is treating private data every day, and all personal data is sensitive,” said Pronewtech CEO Roland Streber. He vividly recommended workshop participants to start the GDPR process without delay if they had not already done so in order to be able to show some concrete progress in case of a possible audit.

“GDPR is an extensive exercise, and everyone in the company needs to be involved,” Meaghan Roberts, Program Manager & IT Project Manager at Docler Holding, pointed out. According to her, Docler has embraced the regulation and put much effort into developing developed tailor-made solutions for its websites so that users explicitly give consent every time they submit personal data. “Our adaptation to GDPR is a marketing tool,” she said. “We want to show our clients that we are at the forefront when it comes to respecting the law and that they can feel completely safe when using our services.”

Conflicting laws

Panellists and participants at this highly interactive event also discussed the difficulty of harmonising GDPR with other laws that also govern the preservation of personal data. While GDPR gives individuals the right to be “forgotten” by an organisation that thus must related personal delete, Manu Roche, Data Protection Officer at the Ligue Luxembourgeoise de Prévention et d’Action Médico-Sociales, pointed out that in practice this can be complicated. Employers, for example, are required by law to keep salary records for their employees during a period of 10 years. “Before being GDPR compliant, we first have to follow the local law,” Mr Roche concluded.

The Luxembourg Cluster Initiative fuel trust-based business partnerships and help companies go further together. Are you interested in becoming a member? Check out the clusters and contact the cluster managers or apply for membership online.

Luxinnovation contributes to the economic development of Luxembourg by fostering innovation, fuelling international growth and attracting foreign direct investment supported by: Ministry of the Economy, Ministry for Higher Education and Research, Luxembourg Chamber of Commerce, Luxembourg Chamber of Skilled Crafts and FEDIL – The Voice of Luxembourg’s Industry.